| File name: | growpai-Growpaiofficial.zip |
| Full analysis: | https://app.any.run/tasks/816a67f2-ad4c-43bf-96f0-d18dc55af7ab |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | June 05, 2024, 15:30:39 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5: | DD09C7DF7A481E190772E4BCC852BDA2 |
| SHA1: | F4861BC07D86DC9D9A2214367F6ADCA14888EC5B |
| SHA256: | 126AF32436E21491C5C24B01824661EEDA3CD951D2EBF03AEA2E6511255D4298 |
| SSDEEP: | 98304:BN2/bRTF2auXSyWOCFkmFpmZHthN9xwc/9i7PKN/7JNC2qPp09kquFkOFh3JGBkW:BOIKl+HV0JxbQkQUWoBWoE |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3968)
- loader.exe (PID: 372)
- Inzector_protected.exe (PID: 1856)
Actions looks like stealing of personal data
- loader.exe (PID: 372)
- Inzector_protected.exe (PID: 1856)
Disables Windows Defender
- Inzector_protected.exe (PID: 1856)
- loader.exe (PID: 372)
GROWTOPIA has been detected (YARA)
- loader.exe (PID: 372)
SUSPICIOUS
Reads the Internet Settings
- loader.exe (PID: 372)
- Inzector_protected.exe (PID: 1856)
- powershell.exe (PID: 1132)
- powershell.exe (PID: 824)
Executable content was dropped or overwritten
- loader.exe (PID: 372)
- Inzector_protected.exe (PID: 1856)
Reads settings of System Certificates
- loader.exe (PID: 372)
- Inzector_protected.exe (PID: 1856)
Contacting a server suspected of hosting an CnC
- Inzector_protected.exe (PID: 1856)
- loader.exe (PID: 372)
Starts POWERSHELL.EXE for commands execution
- Inzector_protected.exe (PID: 1856)
- loader.exe (PID: 372)
Query Microsoft Defender preferences
- Inzector_protected.exe (PID: 1856)
- loader.exe (PID: 372)
Using PowerShell to operate with local accounts
- powershell.exe (PID: 824)
- powershell.exe (PID: 1132)
INFO
Manual execution by a user
- loader.exe (PID: 2072)
- loader.exe (PID: 372)
- wmpnscfg.exe (PID: 1580)
- Inzector_protected.exe (PID: 316)
- Inzector_protected.exe (PID: 1856)
Reads the computer name
- loader.exe (PID: 372)
- wmpnscfg.exe (PID: 1580)
- Inzector_protected.exe (PID: 1856)
Checks supported languages
- loader.exe (PID: 372)
- dcd.exe (PID: 2312)
- wmpnscfg.exe (PID: 1580)
- Inzector_protected.exe (PID: 1856)
- dcd.exe (PID: 2012)
Disables trace logs
- loader.exe (PID: 372)
- Inzector_protected.exe (PID: 1856)
Reads Environment values
- loader.exe (PID: 372)
- Inzector_protected.exe (PID: 1856)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3968)
Create files in a temporary directory
- loader.exe (PID: 372)
- Inzector_protected.exe (PID: 1856)
Reads the machine GUID from the registry
- loader.exe (PID: 372)
- Inzector_protected.exe (PID: 1856)
Reads the software policy settings
- loader.exe (PID: 372)
- Inzector_protected.exe (PID: 1856)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 1132)
- powershell.exe (PID: 824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2024:05:22 23:27:40 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | growpai-Growpaiofficial/ |
Total processes
51
Monitored processes
10
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 316 | "C:\Users\admin\Desktop\growpai-Growpaiofficial\Inzector_protected.exe" | C:\Users\admin\Desktop\growpai-Growpaiofficial\Inzector_protected.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 3221226540 Version: 0.0.0.0 Modules
| |||||||||||||||
| 372 | "C:\Users\admin\Desktop\growpai-Growpaiofficial\loader.exe" | C:\Users\admin\Desktop\growpai-Growpaiofficial\loader.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Exit code: 3762504530 Version: 0.0.0.0 Modules
| |||||||||||||||
| 824 | "powershell" Get-MpPreference -verbose | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Inzector_protected.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 1132 | "powershell" Get-MpPreference -verbose | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | loader.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 1580 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1856 | "C:\Users\admin\Desktop\growpai-Growpaiofficial\Inzector_protected.exe" | C:\Users\admin\Desktop\growpai-Growpaiofficial\Inzector_protected.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Exit code: 3762504530 Version: 0.0.0.0 Modules
| |||||||||||||||
| 2012 | "C:\Users\admin\AppData\Local\Temp\dcd.exe" -path="" | C:\Users\admin\AppData\Local\Temp\dcd.exe | — | Inzector_protected.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2072 | "C:\Users\admin\Desktop\growpai-Growpaiofficial\loader.exe" | C:\Users\admin\Desktop\growpai-Growpaiofficial\loader.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 3221226540 Version: 0.0.0.0 Modules
| |||||||||||||||
| 2312 | "C:\Users\admin\AppData\Local\Temp\dcd.exe" -path="" | C:\Users\admin\AppData\Local\Temp\dcd.exe | — | loader.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 3968 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\growpai-Growpaiofficial.zip | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
Total events
17 872
Read events
17 766
Write events
103
Delete events
3
Modification events
| (PID) Process: | (3968) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3968) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3968) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3968) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3968) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3968) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3968) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\growpai-Growpaiofficial.zip | |||
| (PID) Process: | (3968) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3968) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3968) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
5
Suspicious files
4
Text files
1
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 824 | powershell.exe | C:\Users\admin\AppData\Local\Temp\igxi3lbk.tyr.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 1132 | powershell.exe | C:\Users\admin\AppData\Local\Temp\usirfmrp.maa.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3968.26385\growpai-Growpaiofficial\loader.exe | executable | |
MD5:D364592467B564E21542E9AFF00EB826 | SHA256:21964B29C92A530EF11147CA0AF15B00A2D512F0F2C584C8E55F686E9FD88688 | |||
| 372 | loader.exe | C:\Users\admin\AppData\Local\Temp\dcd.exe | executable | |
MD5:B5AC46E446CEAD89892628F30A253A06 | SHA256:DEF7AFCB65126C4B04A7CBF08C693F357A707AA99858CAC09A8D5E65F3177669 | |||
| 3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3968.26385\growpai-Growpaiofficial\Inzector_protected.exe | executable | |
MD5:D364592467B564E21542E9AFF00EB826 | SHA256:21964B29C92A530EF11147CA0AF15B00A2D512F0F2C584C8E55F686E9FD88688 | |||
| 3968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3968.26385\growpai-Growpaiofficial\Growpai.dll | executable | |
MD5:837CB18A49873FA707088E8F3EBCBC83 | SHA256:D6F6C475977322F3398B804E8E294563A22884D0C4B99370A23F3ACCC882AFA6 | |||
| 1132 | powershell.exe | C:\Users\admin\AppData\Local\Temp\z54lshvz.0sl.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 1132 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf | |
MD5:446DD1CF97EABA21CF14D03AEBC79F27 | SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF | |||
| 824 | powershell.exe | C:\Users\admin\AppData\Local\Temp\jn3xdmgv.uwn.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 1856 | Inzector_protected.exe | C:\Users\admin\AppData\Local\Temp\dcd.exe | executable | |
MD5:B5AC46E446CEAD89892628F30A253A06 | SHA256:DEF7AFCB65126C4B04A7CBF08C693F357A707AA99858CAC09A8D5E65F3177669 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
13
DNS requests
4
Threats
7
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
372 | loader.exe | GET | 204 | 142.250.185.110:80 | http://google.com/generate_204 | unknown | — | — | unknown |
1856 | Inzector_protected.exe | GET | 204 | 142.250.185.110:80 | http://google.com/generate_204 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
372 | loader.exe | 142.250.185.110:80 | google.com | GOOGLE | US | unknown |
372 | loader.exe | 188.114.97.3:443 | api.imgbb.com | CLOUDFLARENET | NL | unknown |
1856 | Inzector_protected.exe | 142.250.185.110:80 | google.com | GOOGLE | US | unknown |
1856 | Inzector_protected.exe | 188.114.97.3:443 | api.imgbb.com | CLOUDFLARENET | NL | unknown |
372 | loader.exe | 104.21.20.223:443 | eterprx.net | CLOUDFLARENET | — | unknown |
372 | loader.exe | 172.67.199.29:443 | eternitypr.net | CLOUDFLARENET | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
api.imgbb.com |
| unknown |
eterprx.net |
| malicious |
eternitypr.net |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1088 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eterprx .net) |
372 | loader.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Eternity Stealer Domain (eterprx .net in TLS SNI) |
1088 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eternitypr .net) |
372 | loader.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Eternity Stealer Domain (eternitypr .net in TLS SNI) |
1856 | Inzector_protected.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Eternity Stealer Domain (eterprx .net in TLS SNI) |
1856 | Inzector_protected.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Eternity Stealer Domain (eternitypr .net in TLS SNI) |
1 ETPRO signatures available at the full report